Mohit,

WRT
"We also have similar use-case as you specified in the scheme above but
instead of LDAP server, we have an external authentication system which
exposes REST interface. From zeppelin server, we can send REST calls to
this system containing username/password and this system may respond with
true/false in the response body. Does this sound doable to you? Any example
implementations you may know to implement this?
I am completely new to web space and so looking for references to
understand the implementation."

Are you trying to call some REST API from Zeppelin? Can you provide details
on your REST scenario? What is it trying to do?

It will create a security leak if Zeppelin starts to send some external
system (other than the one configured for authentication) both user/password.

Thx



On Thu, May 19, 2016 at 11:04 AM, Prasad Wagle <prasadwa...@gmail.com>
wrote:

> Hi Mohit,
>
> Does this sound doable to you? Any example implementations you may know to
>> implement this?
>
>
> Yes. I found an article "Complete example of custom realm" (link
> <http://shiro-user.582556.n2.nabble.com/Complete-example-of-custom-realm-td6207177.html>)
> which you may find useful.
>
> On Fri, May 13, 2016 at 8:07 PM, Mohit Gupta <mohit.mail...@gmail.com>
> wrote:
>
>> Hi Prasad,
>>
>> I am building the binaries from the zeppelin master branch. I checked
>> that PR 849 is not there in my build so I will pull the latest changes and
>> build again and retry.
>>
>> We also have similar use-case as you specified in the scheme above but
>> instead of LDAP server, we have an external authentication system which
>> exposes REST interface. From zeppelin server, we can send REST calls to
>> this system containing username/password and this system may respond with
>> true/false in the response body. Does this sound doable to you? Any example
>> implementations you may know to implement this?
>> I am completely new to web space and so looking for references to
>> understand the implementation.
>>
>> Thanks
>> Mohit
>>
>> On Fri, May 13, 2016 at 10:59 PM, Prasad Wagle <prasadwa...@gmail.com>
>> wrote:
>>
>>> Hi Mohit,
>>>
>>> I think https://github.com/apache/incubator-zeppelin/pull/849 fixes the
>>> problem you found.
>>>
>>> How are you getting the 0.6.0 zeppelin binary? Can you send me the link?
>>> I am not sure if it has PR 849 which has been merged.
>>>
>>> I am not very familiar with Shiro. At Twitter we use the scheme
>>> mentioned in the last paragraph of
>>> https://zeppelin.incubator.apache.org/docs/0.6.0-incubating-SNAPSHOT/security/authentication.html
>>>
>>> Another option is to have an authentication server that can verify user
>>> credentials in an LDAP server. If an incoming request to the Zeppelin
>>> server does not have a cookie with user information encrypted with the
>>> authentication server public key, the user is redirected to the
>>> authentication server. Once the user is verified, the authentication server
>>> redirects the browser to a specific URL in the Zeppelin server which sets
>>> the authentication cookie in the browser. The end result is that all
>>> requests to the Zeppelin web server have the authentication cookie which
>>> contains user and groups information.
>>>
>>> Prasad
>>>
>>> On Fri, May 13, 2016 at 7:45 AM, Mohit Gupta <mohit.mail...@gmail.com>
>>> wrote:
>>>
>>>> Hi Prasad,
>>>>
>>>> Thanks for replying.
>>>>
>>>> I found that the erroneous behaviour in this case was due to
>>>> globalSessionTimeout(in shiro.ini) being too low. I was mistaking it to be
>>>> in seconds while it should be in msec. Configuring enough time to let
>>>> session remain active, resolved the problem.
>>>>
>>>> However, I did notice that once the permissions, roles have been
>>>> configured for a new notebook, we are not able to remove the already added
>>>> users. Logs show that permissions got saved correctly as intended but on
>>>> clicking the permission tab again, the removed user re-appears. Pls check
>>>> the attached gif.
>>>>
>>>> Also, am looking for an example to configure shiro.ini to allow a
>>>> third-party restful interface to be used as authentication system(node.js
>>>> passport system in our case). Pls suggest any pointers if possible.
>>>>
>>>>
>>>> Thanks
>>>> Mohit
>>>>
>>>>
>>>>
>>>> On Fri, May 13, 2016 at 7:03 PM, Prasad Wagle <prasadwa...@gmail.com>
>>>> wrote:
>>>>
>>>>> Hi Mohit,
>>>>>
>>>>> Re. 3:
>>>>>
>>>>> There are probably exceptions in the server log. Can you please send
>>>>> that?
>>>>>
>>>>> > Am using zeppelin-0.6.0 binary package
>>>>> Can you send me the link to download this?
>>>>>
>>>>> Thanks,
>>>>> Prasad
>>>>>
>>>>> On Thu, May 12, 2016 at 11:10 PM, Mohit Gupta <mohit.mail...@gmail.com
>>>>> > wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Can anyone pls give some pointers to below?
>>>>>>
>>>>>>
>>>>>> (1) the timeout works well in shiro.ini but is there any way for user
>>>>>> to explicitly logout from the connected session?
>>>>>>
>>>>>> (2) For the external authentication (passport for node.js) system, I
>>>>>> forgot to mention that it exposes a Restful interface. So, can we make a
>>>>>> Rest call from Zeppelin server to this system passing username, password
>>>>>> and the system (passport) will respond with just true or false based on
>>>>>> whether user is authenticated or not.
>>>>>> I need some help to implement this using zeppelin-shiro. Any links
>>>>>> to understand how can we do it?
>>>>>>
>>>>>> (3) For the notebook level authentication, it always gives me error
>>>>>> while trying to save the owner/reader/writer options. Pls check the
>>>>>> attached screenshot. Steps I did were : logged-in as admin => created a
>>>>>> notebook as "test4" => entered owner/reader/writer usernames => save
>>>>>> [gives error as insufficient permission]. Am using zeppelin-0.6.0 binary
>>>>>> package.
>>>>>>
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>>
>>>>>> On Thu, May 12, 2016 at 4:42 PM, Mohit Gupta <mohit.mail...@gmail.com
>>>>>> > wrote:
>>>>>>
>>>>>>> Hi Prabhjyot,
>>>>>>>
>>>>>>> Thanks very much for the suggestions. I have following follow-ups if
>>>>>>> you could spare some time on this :
>>>>>>>
>>>>>>> (1) the timeout works well in shiro.ini but is there any way for
>>>>>>> user to explicitly logout from the connected session?
>>>>>>>
>>>>>>> (2) For the external authentication (passport for node.js) system, I
>>>>>>> forgot to mention that it exposes a Restful interface. So, can we make a
>>>>>>> Rest call from Zeppelin server to this system passing username, password
>>>>>>> and the system (passport) will respond with just true or false based on
>>>>>>> whether user is authenticated or not.
>>>>>>> I need some help to implement this using zeppelin-shiro. Any links
>>>>>>> to understand how can we do it?
>>>>>>>
>>>>>>> (3) For the notebook level authentication, it always gives me error
>>>>>>> while trying to save the owner/reader/writer options. Pls check the
>>>>>>> attached screenshot. Steps I did were : logged-in as admin => created a
>>>>>>> notebook as "test4" => entered owner/reader/writer usernames => save
>>>>>>> [gives error as insufficient permission]. Am using zeppelin-0.6.0 binary
>>>>>>> package.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Tue, May 10, 2016 at 4:03 PM, Prabhjyot Singh <
>>>>>>> prabhjyotsi...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi Mohit,
>>>>>>>>
>>>>>>>> Please find my answers in-line.
>>>>>>>>
>>>>>>>> On 10 May 2016 at 15:33, Mohit Gupta <mohit.mail...@gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> (1) I have recently started trying out Zeppelin and was trying to
>>>>>>>>> configure the BasicAuth using shiro that comes packaged in the build.
>>>>>>>>> It works well using the steps given in docs by doing the following:
>>>>>>>>> >> comment out /** = anon and uncomment /** = authcBasic
>>>>>>>>> >> turn zeppelin.anonymous.allowed to false
>>>>>>>>>
>>>>>>>>> However, once I have logged-in using one of the username/password
>>>>>>>>> defined in conf/shiro.ini, how do I time-out this session? I want to try
>>>>>>>>> out with different log-ins but it appears that the token generated using
>>>>>>>>> the first successful login gets saved somewhere with the Zeppelin
>>>>>>>>> instance (note.json?) and it gets fetched on doing subsequent accesses. I
>>>>>>>>> have tried cleaning browser cache as well as removing the
>>>>>>>>> "authenticationInfo" from note.json (just for finding out where this login
>>>>>>>>> info is coming from) but that doesn't help.
>>>>>>>>>
>>>>>>>>
>>>>>>>> For session timeout you can specify the same in shiro.ini file,
>>>>>>>> right now it's configured as 24 hours, but it can be changed.
>>>>>>>>
>>>>>>>> https://github.com/apache/incubator-zeppelin/blob/master/conf/shiro.ini#L35
>>>>>>>> But this doesn't work with *authcBasic*; you have to use *authc*
>>>>>>>>
>>>>>>>> /** = authc
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> (2) I am also looking for some example to understand configuring
>>>>>>>>> Zeppelin with an external authentication server. We have a node.js
>>>>>>>>> passport authentication system and it generates a token on validating the
>>>>>>>>> user. Is it possible to redirect the users coming to Zeppelin server to
>>>>>>>>> this authentication server? If yes, is there any sample config to
>>>>>>>>> understand changes required?
>>>>>>>>> Also, where do we specify the redirection link for authentication
>>>>>>>>> server and how do we set the authentication cookie?
>>>>>>>>>
>>>>>>>>
>>>>>>>> For SSO; this document should help you out
>>>>>>>> http://shiro.apache.org/cas.html.
>>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>> (3) Does Zeppelin support keeping notebooks local to a user.
>>>>>>>>> i.e. notebooks created by user A are not visible/accessible to any other
>>>>>>>>> user like user B?
>>>>>>>>>
>>>>>>>> Yes, it does support notebook level authorization. Here is a demo
>>>>>>>> gif.
>>>>>>>>
>>>>>>>> https://cloud.githubusercontent.com/assets/870829/12711820/c70fa336-c877-11e5-84e8-e282231988b2.gif
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> Pls help with any suggestions.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thanks!
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Thankx and Regards,
>>>>>>>>
>>>>>>>> Prabhjyot Singh
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>
>
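
The custom-realm approach suggested in the thread for a REST authentication service that answers true/false, as an added example that is not code from the thread or from Zeppelin. The class name `RestAuthRealm`, the `authUrl` property, the form-encoded request and the literal `true` response body are assumptions; the realm sends credentials only to the one configured HTTPS endpoint, which is the concern raised in the top reply.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import org.apache.shiro.authc.*;
import org.apache.shiro.realm.AuthenticatingRealm;

// Hypothetical realm: the class name, authUrl property and wire format are assumptions.
public class RestAuthRealm extends AuthenticatingRealm {
    private String authUrl; // the only endpoint credentials are ever sent to
    public void setAuthUrl(String authUrl) { // set from shiro.ini; plaintext HTTP is refused
        if (authUrl == null || !authUrl.startsWith("https://"))
            throw new IllegalArgumentException("authUrl must be an https:// URL");
        this.authUrl = authUrl;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        UsernamePasswordToken up = (UsernamePasswordToken) token;
        if (up.getUsername() == null || up.getPassword() == null)
            throw new AccountException("username and password are required");
        try {
            String form = "username=" + URLEncoder.encode(up.getUsername(), "UTF-8")
                    + "&password=" + URLEncoder.encode(new String(up.getPassword()), "UTF-8");
            HttpURLConnection c = (HttpURLConnection) new URL(authUrl).openConnection();
            c.setRequestMethod("POST");
            c.setConnectTimeout(3000);
            c.setReadTimeout(3000);
            c.setInstanceFollowRedirects(false); // never replay credentials to a redirect target
            c.setDoOutput(true);
            c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            try (OutputStream out = c.getOutputStream()) {
                out.write(form.getBytes(StandardCharsets.UTF_8));
            }
            if (c.getResponseCode() != 200) throw new IncorrectCredentialsException(); // fail closed
            String body;
            try (InputStream in = c.getInputStream()) {
                byte[] buf = new byte[16];
                int n = in.read(buf);
                body = n > 0 ? new String(buf, 0, n, StandardCharsets.UTF_8).trim() : "";
            }
            if (!"true".equals(body)) throw new IncorrectCredentialsException(); // fail closed
        } catch (IOException e) {
            throw new AuthenticationException("authentication service unreachable", e);
        }
        // Returning the submitted password lets Shiro's default credentials matcher succeed.
        return new SimpleAuthenticationInfo(up.getUsername(), up.getPassword(), getName());
    }
}
```

In the `[main]` section of shiro.ini the realm would be declared as `restRealm = RestAuthRealm` with `restRealm.authUrl` set to the service's HTTPS URL (for example the constructed value `https://auth.example.internal/verify`). The password is never logged or placed in an exception message.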
